regress/usr.sbin/bgpd/config/bgpd.conf.example.ok


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134

ASN = "65001"
peer1 = "10.1.0.2"
peer2 = "10.1.0.3"
AS 65001
router-id 127.0.0.1
socket "/var/run/bgpd.sock.0"


prefix-set "mynetworks" { 192.0.2.0/24  }


rde rib Adj-RIB-In no evaluate
rde rib Loc-RIB rtable 0 fib-update yes

neighbor 10.2.1.1 {
	remote-as 65023
	local-address 10.0.0.8
	enforce neighbor-as yes
	enforce local-as yes
	ipsec esp in spi 1010 sha1 XXXXXX aes XXXXXX
	ipsec esp out spi 1012 sha1 XXXXXX aes XXXXXX
	announce IPv4 unicast
}
neighbor 10.0.0.0/24 {
	descr "template for local peers"
	enforce neighbor-as no
	enforce local-as yes
	announce IPv4 unicast
}
neighbor 10.0.2.0 {
	descr "upstream2"
	remote-as 65004
	local-address 10.0.0.8
	enforce neighbor-as yes
	enforce local-as yes
	ipsec ah ike
	announce IPv4 unicast
}
neighbor 10.0.1.0 {
	descr "upstream"
	remote-as 65003
	multihop 2
	passive
	local-address 10.0.0.8
	holdtime 180
	holdtime min 3
	export none
	enforce neighbor-as yes
	enforce local-as yes
	tcp md5sig
	announce IPv4 unicast
}
group "peering AS65002" {
	neighbor 10.1.0.2 {
		descr "AS 65001 peer 1"
		remote-as 65002
		enforce neighbor-as yes
		enforce local-as yes
		tcp md5sig
		announce IPv4 unicast
	}
	neighbor 10.1.0.3 {
		descr "AS 65001 peer 2"
		remote-as 65002
		local-address 10.0.0.8
		enforce neighbor-as yes
		enforce local-as yes
		ipsec esp ike
		announce IPv4 unicast
	}
}

group "peering AS65042" {
	neighbor 10.2.0.2 {
		descr "peering AS 65042"
		remote-as 65042
		local-address 10.0.0.8
		enforce neighbor-as yes
		enforce local-as yes
		ipsec ah ike
		announce IPv4 unicast
	}
	neighbor 10.2.0.1 {
		descr "peering AS 65042"
		remote-as 65042
		local-address 10.0.0.8
		enforce neighbor-as yes
		enforce local-as yes
		ipsec ah ike
		announce IPv4 unicast
	}
}


allow from ibgp 
allow from any prefix 0.0.0.0/0 prefixlen 8 - 24 
allow from any prefix ::/0 prefixlen 16 - 48 
match from any community 65535:0 set { localpref 0 }
allow from any prefix 23.128.0.0/10 prefixlen 24 - 28 
deny from any prefix 0.0.0.0/8 prefixlen >= 8 
deny from any prefix 10.0.0.0/8 prefixlen >= 8 
deny from any prefix 100.64.0.0/10 prefixlen >= 10 
deny from any prefix 127.0.0.0/8 prefixlen >= 8 
deny from any prefix 169.254.0.0/16 prefixlen >= 16 
deny from any prefix 172.16.0.0/12 prefixlen >= 12 
deny from any prefix 192.0.2.0/24 prefixlen >= 24 
deny from any prefix 192.88.99.0/24 prefixlen >= 24 
deny from any prefix 192.168.0.0/16 prefixlen >= 16 
deny from any prefix 198.18.0.0/15 prefixlen >= 15 
deny from any prefix 198.51.100.0/24 prefixlen >= 24 
deny from any prefix 203.0.113.0/24 prefixlen >= 24 
deny from any prefix 224.0.0.0/4 prefixlen >= 4 
deny from any prefix 240.0.0.0/4 prefixlen >= 4 
deny from any prefix ::/8 prefixlen >= 8 
deny from any prefix 100::/64 prefixlen >= 64 
deny from any prefix 2001:2::/48 prefixlen >= 48 
deny from any prefix 2001:10::/28 prefixlen >= 28 
deny from any prefix 2001:db8::/32 prefixlen >= 32 
deny from any prefix 2002::/16 prefixlen >= 16 
deny from any prefix 3ffe::/16 prefixlen >= 16 
deny from any prefix fc00::/7 prefixlen >= 7 
deny from any prefix fe80::/10 prefixlen >= 10 
deny from any prefix fec0::/10 prefixlen >= 10 
deny from any prefix ff00::/8 prefixlen >= 8 
deny from any AS 23456 
deny from any AS 64496 - 64511 
deny from any AS 64512 - 65534 
deny from any AS 65535 
deny from any AS 65536 - 65551 
deny from any AS 65552 - 131071 
deny from any AS 4200000000 - 4294967294 
deny from any AS 4294967295 
allow to ibgp 
allow to ebgp prefix-set "mynetworks" large-community 65001:1:1